XTRF system compliance with GDPR

What is GDPR and why should I care?

GDPR stands for General Data Protection Regulation. It is an act of the European Parliament, the Council of the European Union and the European Commission, which aims to improve data protection for all individuals within the European Union by making it well-defined and unified among all the EU member states. The goal is to give control of personal data back to the people.

GDPR has been legally binding since May 25th 2018.

If you cooperate with partners based in the EU, then you have to take GDPR into consideration when running your business.

Is XTRF system GDPR ready?

XTRF (version 8 and newer) allows your company to meet the new legal requirements. The provisions of the regulation are supported by the following features:

  • Accessing and correcting personal data by Clients and Vendors via the Client Portal and the Vendor Portal.

  • Erasing personal data from the XTRF system upon request by the data owner (Client, Vendor or Employee).

  • Tracking consents from Clients and Vendors for processing of their personal data (by means of Custom Fields or Categories).

  • Exporting personal data to a structured, commonly used and machine-readable format (CSV).

How does XTRF follow the Privacy by Design principle?

GDPR encourages organizations to take a ‘privacy by design’ approach, which means that privacy and data protection should be a key consideration of any project, both in its early stages and throughout its lifecycle. In XTRF, the design process plays a crucial role in system development and assuring high quality. Providing privacy and data protection to our clients and to their partners has always been a key priority for us. For this reason, we have included a special phase in the design process to investigate how changes in system behavior may affect the privacy and security of personal data.

We have also defined three design principles strictly focused on GDPR:

  • XTRF system must allow for fulfilment of GDPR requirements, but must not impose how they are fulfilled.

  • XTRF system may simplify the fulfilment of GDPR requirements by delivering functions that facilitate or automate GDPR-related operations, but they should be enabled only when specifically requested by the user.

  • XTRF system may suggest and recommend to the user how to configure the system so that it meets GDPR requirements.

How is personal information protected within XTRF system and infrastructure?

XTRF company acts as a data controller of personal data of XTRF system owners (among them your organization). When using XTRF onCloud service, XTRF company is also a processor of personal data of the XTRF owner's partners. XTRF system owner (your organisation) is a data controller of their partners' personal data.

XTRF implements security procedures to help protect all data stored in XTRF system from security attacks. This applies to both services, XTRF onCloud and XTRF onPremises. Security mechanisms used by XTRF include:

  • Secure password-protected database

  • File system with permission-based access restrictions

  • Secure communication between web browser and server via HTTPS protocol using a certificate signed by a trusted authority

  • Regular off-site backups

Note: If you use XTRF onPremises service, then security of the system partially depends on your internal infrastructure configuration.

What types of personal data can I store in the XTRF system?

XTRF system can store personal data of your Clients (Client Contact Persons), Vendors (Vendor Contact Persons) and Users (i.e. your employees). Depending on a person's role, different types of personal data can be provided and stored in their profile in XTRF.

Personal data types that can be stored in the XTRF system:

  • Name

  • Gender

  • Billing address

  • Mailing address

  • Phone/fax numbers

  • E-mail addresses

  • Department

  • Position

  • Contact languages, Native languages

  • Social media identifiers

  • Photos

  • Payment methods (bank account data or other payment method identifiers)

  • Tax numbers

  • Contract number

  • HR Data

  • Certificates, CVs, education, work experience etc.

  • Username in other systems

  • Languages, specializations and rates

  • IT Tools

  • Vendor Holidays

We advise against storing other types of personal data (e.g. credit card number) in the XTRF system.

Where can I store personal data in the XTRF system?

XTRF system can store personal data of your Clients (Client Contact Persons), Vendors (Vendor Contact Persons) and Users (i.e. your employees). In order to simplify personal data administration (in accordance with GDPR) personal data should be stored only in specific areas and fields in the system. When stored properly, the data are secure and easy to track or erase when necessary. We advise against storing personal data in any other place (e.g. Custom Field).

XTRF system areas where personal data can be safely stored:

  • Client Profile and Contact Person Profile

    • Main Data (Identification Data, Sales Data, Social Media, Billing Address, Mailing Address, Invoicing, System Accounts)

    • Rates

    • Portal Settings

  • Vendor Profile and Contact Person Profile

    • Main Data (Identification Data, Sales Data, Social Media, Billing Address, Mailing Address, Invoicing, IT Tools, System Accounts, Acceptance of Terms)

    • Competencies & Rates

    • Files & Qualifications

    • Holidays

  • System User Profile

    • General Info

    • Social Media

  • Project, Quote, Opportunity

    • Client Name

    • Client Contact Persons

    • Vendor Names

    • Vendor Contact Persons

    • Files (note: files can be archived using a dedicated Archive Project/Quote functionality)

  • Invoice

    • Main Data

    • Client Data

    • Notes

  • CRM (E-mail, Memo, Task, Call, Event)

Erasing personal data from XTRF system upon request by the data owner (Client, Vendor or User)

According to GDPR, a person (data owner) can request the erasure of their personal data from a data controller's system. As an XTRF user, you may be asked by your client, vendor or employee to do so. XTRF will help you fulfil the obligation by allowing you to erase the personal data of a client (Client Contact Person), vendor (Vendor Contact Person) or employee from the system, including:

  • Client, Vendor or Employee profile

  • Client or Vendor Contact Person

  • Projects, Quotes, Opportunities

  • CRM

  • History

Additionally, it is possible to archive Projects and Quotes, which moves all associated files (including those containing personal data) to an external location, where they can be safely deleted. Read more about archiving Projects and Quotes.


Invoices are a special case, because they are often required by the legal regulations to be stored for a longer period of time. XTRF allows erasing Invoices independently from personal data upon request by the data owner.

XTRF system can occasionally store some data (including personal data) internally for technical reasons (caches, logs etc.). All of these files are temporary and are cleaned regularly, so any personal data they contain are securely erased.

Read more about erasing personal data from XTRF.

Tracking consents from Clients and Vendors for processing their personal data

GDPR requires a data controller to obtain consent from the owner for the processing of their personal data. Every consent needs to be:

  • Unbundled

  • Active opt-in

  • Granular

  • Named

  • Easy to withdraw

XTRF system can help you track the consents from your Clients and Vendors e.g. with the use of Custom Fields. You can name the Custom Field by the consent in question and introduce it as a checkbox or a simple Yes / No drop-down list scoped at Clients, Vendors or individual Contact Persons. Alternatively, you can use Categories to mark Clients and Vendors who have given you their data processing consents.

Exporting personal data to a structured, commonly used and machine-readable format (CSV)

According to GDPR, personal data needs to be portable. This means it should be possible to export it to a structured, commonly used and machine-readable format upon request by the data owner.

XTRF Smart Views (which are used, among other things, to display lists of Vendors, Clients and their Contact Persons) offer an export function that can be used to satisfy the GDPR requirements. You can select one or more persons and export their data into the CSV file format.

More information

The information presented in this article refers to XTRF system functionality and focuses on how it can help fulfil the GDPR requirements. XTRF company responsibility is, however, limited to the role of data processor. As a data controller, you need to ensure that your company procedures are also compliant with GDPR. Although XTRF system will guide you through GDPR by recommending good practices at certain points, the final responsibility for protecting and processing your partners' personal data rests with you. We advise you to consult your lawyer to ensure your company conforms to all GDPR provisions and local regulations.
